Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

Defender detects Raccine as a Trojan #88

Open atlantsecurity opened 3 years ago

atlantsecurity commented 3 years ago

I think this is preventing it from running at all, because vssadmin delete /all in powershell did not kill the parent process.

atlantsecurity commented 3 years ago

https://www.virustotal.com/gui/file/1985c7c6930f2b58348af7f38d6015d1e0f1d3a6f5e9de762748f00c2d0d0e9f/detection

JohnLaTwC commented 3 years ago

After submitting the file to Defender as a FP, Defender now determines the file is clean.

atlantsecurity commented 3 years ago

I also made a positive mark on VT

On 1 Nov 2020, at 16:16, John Lambert notifications@github.com wrote:

 After submitting the file to Defender as a FP, Defender now determines the file is clean:

SimonZerafa commented 3 years ago

With version 1.3b this issue has returned 😕

Neo23x0 commented 3 years ago

What's the detection name? What's the signature (security intelligence) version?

JohnLaTwC commented 3 years ago

In general, submitting a file with a False Positive to Defender's reporting portal will ensure a human analyst looks at it. I would include a link to this github repo (and also this page) as context when reporting: (https://www.microsoft.com/en-us/wdsi/filesubmission)

atlantsecurity commented 3 years ago

The problem is the presence of vssadmin strings and other indicators inside the file which will always mark it as malware in most AV engines. There has to be a way past that, but that is the reason.

JohnLaTwC commented 3 years ago

We should be able to move all those detections to Yara now. I wonder if that will eliminate these AV detects since they won't be in the executable anymore.

Neo23x0 commented 3 years ago

The YARA feature won't be available on x86 platforms. The internal filters at least provide some kind of protection for these users. We could encode them base64, like malware authors do. :D

SimonZerafa commented 3 years ago

Hi,

Microsoft Defender is triggering on the 1.3.1b download. I can't actually download the file with Google Chrome; it refuses to do so with a "Virus Detected" error.

Microsoft Defender is reporting Trojan:Win32/Woreflint.A!cl on Raccine_x86.exe and Trojan:Win32/Woreflint.A!cl on Raccine.zip when the download completes with Mozilla Firefox as the browser.

Security Intelligence version: 1.327.683.0 created on 10th November 2020

Extracting the files in the ZIP to the Raccine program folder results in multiple errors and warnings on open files and files in use (Raccine is not running), so I can't be confident that the files extracted and overwrote correctly.

As much as this project has great potential, until these issues with false positives in Microsoft Defender can be resolved it's dead in the water. I've uninstalled for now to prevent Defender from having constant fits over the files 🤔

P.S. Windows Powershell now refuses to run once Raccine is uninstalled. The file is present but reports as missing when you run it manually from Explorer. Something in the uninstall routine is broken, as is my Windows install now 🙁

Right. The IFEO options are NOT removed by the uninstaller. The uninstaller is broken quite badly.

Neo23x0 commented 3 years ago

I don't think that the uninstaller is broken. The only thing that changes on your system and can be reverted easily are the registry patches.

You just have to run the file raccine-reg-patch-uninstall.reg manually if everything else fails (due to an Antivirus running amok).
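A way to check whether the IFEO debugger entries discussed above are still present after an uninstall, added here as an example that is not part of this thread or of the Raccine project. It assumes the leftover entries are "Debugger" values under Image File Execution Options and that Raccine's Debugger value contains the string "Raccine"; the audit is read-only, and the removal function only acts on entries whose debugger executable no longer exists and needs an elevated shell.

```powershell
# Added example (not from the Raccine project): audit Image File Execution Options
# for leftover "Debugger" values, the mechanism Raccine uses to hook programs such
# as vssadmin.exe and powershell.exe. A stale Debugger value that points at a
# removed Raccine.exe makes Windows report the hooked program as "missing".
# Assumption: Raccine's Debugger value contains the string "Raccine".

$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    # Returns one object per IFEO subkey that carries a Debugger value.
    foreach ($base in $IfeoPaths) {
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            # Debugger executable: quoted path, or the first token if unquoted.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            [pscustomobject]@{
                Program        = $key.PSChildName
                Key            = $key.PSPath
                Debugger       = $dbg
                DebuggerExists = Test-Path -LiteralPath $exe
                IsRaccine      = $dbg -match 'Raccine'   # assumption, see above
            }
        }
    }
}

function Remove-StaleRaccineIfeo {
    # Removes only Debugger values that point at Raccine AND whose executable is
    # gone, i.e. the entries that break programs after an uninstall. Run with
    # -WhatIf first to see what would be removed; requires an elevated shell.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $stale = Get-IfeoDebugger | Where-Object { $_.IsRaccine -and -not $_.DebuggerExists }
    foreach ($entry in $stale) {
        if ($PSCmdlet.ShouldProcess($entry.Program, "Remove Debugger value '$($entry.Debugger)'")) {
            Remove-ItemProperty -Path $entry.Key -Name Debugger
        }
    }
}

# Report every hooked program; a row with IsRaccine=True and DebuggerExists=False
# is a leftover hook that the uninstaller did not clean up.
Get-IfeoDebugger | Format-Table Program, Debugger, DebuggerExists, IsRaccine -AutoSize
```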